Ransomware : Your Worst IT Nightmare
Ransomware has become an escalating cyber plague and an enterprise-level threat for businesses poorly prepared for an attack. Multiple generations of crypto-ransomware such as CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and continue to cause damage. Modern variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Nephilim, plus as yet unnamed newcomers appearing daily, not only encrypt on-line files but also attack every configured system protection mechanism. Data synced to off-site disaster recovery sites can be ransomed as well. In a poorly designed system, this can render automatic restoration useless and effectively knock the entire environment back to zero.
Getting programs and data back on-line following a ransomware outage becomes a race against time as the targeted business struggles to stop lateral movement, eradicate the malware, and resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are often launched during nights and weekends, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of promptly mobilizing and organizing a knowledgeable response team.
Progent offers an assortment of support services for securing Pasadena businesses against ransomware attacks. These include training team members to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of modern security solutions that use artificial intelligence to rapidly detect and contain zero-day cyber threats. Progent can also provide the assistance of veteran crypto-ransomware recovery professionals with the talent and perseverance to rebuild a breached system as rapidly as possible.
Progent's Ransomware Restoration Services
Following a crypto-ransomware attack, even paying the ransom demand in Bitcoin does not guarantee that the attackers will return the keys needed to decrypt any of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms often range from 15 to 40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be around $13,000 for small organizations. The alternative is to rebuild the essential elements of your IT environment from scratch. Without usable backups of essential information, this requires a broad complement of skill sets, top-notch project management, and the willingness to work non-stop until the task is complete.
For twenty years, Progent has provided professional Information Technology services for companies throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned advanced certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of expertise lets Progent identify the critical systems, reorganize the remaining pieces of your IT environment after a ransomware attack, and configure them into a functioning whole.
Progent's ransomware experts use best-of-breed project management tools to coordinate the complex recovery process. Progent appreciates the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and bring essential services back online as soon as humanly possible.
Client Story: A Successful Ransomware Attack Response
A client hired Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, possibly adopting algorithms leaked from the United States NSA. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer in the Chicago metro area with about 500 staff members. The Ryuk attack had brought down all company operations and manufacturing processes. Most of the client's data backups had been on-line at the start of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I can't tell you enough about the support Progent gave us throughout the most critical period of (our) company's life. We had little choice but to pay the cybercriminals if not for the confidence the Progent experts provided us. That you could get our e-mail and critical servers back on-line quicker than a week was incredible. Every single person I worked with or e-mailed at Progent was totally committed on getting us back online and was working non-stop to bail us out."
Progent worked hand in hand with the customer to quickly assess and prioritize the most important applications that had to be recovered so that business functions could continue:
To start, Progent followed ransomware incident mitigation best practices by stopping lateral movement and disinfecting systems. Progent then began rebuilding Microsoft Active Directory, the key technology of enterprise networks built on Microsoft Windows Server. Exchange email will not operate without Windows AD, and the business's MRP software relied on Microsoft SQL Server, which depends on Active Directory for authorization to the data.
- Active Directory (AD)
- Microsoft Exchange Server
- MRP System
Within 2 days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery of key servers. All Exchange Server connections and configuration information were still usable, which greatly helped the restoration of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Data Files) from staff workstations and laptops in order to recover email data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these essential applications back on-line. Although significant work remained to recover completely from the Ryuk attack, core services were restored quickly:
"For the most part, the manufacturing operation never missed a beat and we made all customer deliverables."
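The OST collection step above depends on telling which workstation mailbox caches were left untouched. As an added example (not Progent's tooling), the triage below walks a directory tree of collected .ost/.pst copies and classifies each by whether its header still carries the public [MS-PST] signature ("!BDN" at offset 0, "SM" at offset 8); the directory layout and sample files are constructed here.

```python
import tempfile
from pathlib import Path

# Every PST/OST begins with the magic "!BDN", a CRC, and the client magic "SM"
# at offset 8 (Microsoft [MS-PST] HEADER). A file-encrypting payload that
# rewrote the file will not preserve this signature.
PST_MAGIC = b"!BDN"
PST_CLIENT_MAGIC = b"SM"


def classify_ost(path):
    """Return 'intact', 'overwritten', 'too-small' or 'unreadable' for one file."""
    try:
        with open(path, "rb") as f:
            header = f.read(16)
    except OSError:
        return "unreadable"
    if len(header) < 16:
        return "too-small"
    if header[:4] == PST_MAGIC and header[8:10] == PST_CLIENT_MAGIC:
        return "intact"
    return "overwritten"


def triage_ost_tree(root):
    """Group every .ost/.pst under root (e.g. copies of user profiles) by state."""
    results = {"intact": [], "overwritten": [], "too-small": [], "unreadable": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in (".ost", ".pst"):
            results[classify_ost(p)].append(str(p))
    return results


def build_sample_tree():
    """Constructed sample data (hypothetical users): one intact-looking OST,
    one whose contents were overwritten, and one truncated stub."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    good = Path(root, "alice", "outlook.ost")
    good.parent.mkdir(parents=True)
    good.write_bytes(PST_MAGIC + b"\x00" * 4 + PST_CLIENT_MAGIC + b"\x17\x00" + b"\x00" * 500)
    bad = Path(root, "bob", "outlook.ost")
    bad.parent.mkdir(parents=True)
    bad.write_bytes(bytes(range(64)) * 8)  # no "!BDN"/"SM" signature
    stub = Path(root, "carol", "outlook.ost")
    stub.parent.mkdir(parents=True)
    stub.write_bytes(b"!BD")
    return root


if __name__ == "__main__":
    for state, files in triage_ost_tree(build_sample_tree()).items():
        print(f"{state}: {len(files)} file(s)")
```

Files reported as intact are candidates for mailbox recovery; the check only proves the header survived, so still open them in a clean environment.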
During the following few weeks, important milestones in the recovery process were reached through close cooperation between Progent consultants and the customer:
- Self-hosted web sites were restored with no loss of information.
- The MailStore Exchange Server containing more than 4 million archived messages was brought online and accessible to users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control functions were 100% operational.
- A new Palo Alto 850 security appliance was brought online.
- 90% of the user desktops and notebooks were back in operation.
"Much of what occurred those first few days is mostly a blur for me, but I will not forget the dedication each of your team put in to give us our business back. I have utilized Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered as promised. This time was a Herculean accomplishment."
A potential business disaster was averted through the efforts of dedicated professionals, a broad range of IT skills, and tight collaboration. Although in retrospect the crypto-ransomware attack described here could have been blocked with current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and appropriate procedures for backups and for keeping systems current with security patches, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are not going away. If you are hit by a crypto-ransomware incident, you can be confident that Progent's team has extensive experience in ransomware defense, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we made it past the first week. Everyone did an impressive job, and if anyone is in the Chicago area, a great meal is my treat!"
Download the Crypto-Ransomware Removal Case Study Datasheet
To read or download a PDF version of this customer story, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Contact Progent for Ransomware Recovery Consulting Services in Pasadena
For ransomware cleanup services in the Pasadena metro area, phone Progent at 800-462-8800 or see Contact Progent.